From: Jesse Michael <jesse.michael@comcast.net>

Acked-By: Steve Beattie <sbeattie@ubuntu.com>

The format of audit messages that are redirected to syslog because
auditd isn't running changed between Hardy and Intrepid and now has
the type=NNNN field before the audit tag, like:

Nov 1 22:24:43 box kernel: [ 158.113592] type=1503
audit(1225603483.635:5): operation="inode_permission" requested_mask="r::"
denied_mask="r::" fsuid=7 name="/proc/7034/net/" pid=7034
profile="/usr/sbin/cupsd"

I believe this patch will address the moved type=NNNN field as well as
capturing non-matching logfile input instead of printing it to stdout.

Patch modified by Steve Beattie <sbeattie@ubuntu.com> to take into
account a couple of different situations.

https://bugs.launchpad.net/bugs/271252
https://bugzilla.novell.com/show_bug.cgi?id=441381
Steve Beattie 2008-11-04 20:19:59 +00:00
parent e6e3447c19
commit e56ed9a68a
2 changed files with 10 additions and 0 deletions


@ -187,8 +187,12 @@ syslog_type:
{ ret_record->version = AA_RECORD_SYNTAX_V1; }
| syslog_date TOK_ID TOK_SYSLOG_KERNEL audit_id key_list
{ ret_record->version = AA_RECORD_SYNTAX_V2; }
| syslog_date TOK_ID TOK_SYSLOG_KERNEL key_type audit_id key_list
{ ret_record->version = AA_RECORD_SYNTAX_V2; }
| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP audit_id key_list
{ ret_record->version = AA_RECORD_SYNTAX_V2; }
| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP key_type audit_id key_list
{ ret_record->version = AA_RECORD_SYNTAX_V2; }
;
/* when audit dispatches a message it doesn't prepend the audit type string */
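Review bot: The two new syslog alternatives that insert `key_type` before `audit_id` carry no comment explaining why the type field may appear there, and the existing comment that follows ("when audit dispatches a message it doesn't prepend the audit type string") now reads as if it described these rules rather than the audit-dispatch rule below it. A one-line comment above the new alternatives, such as `/* newer kernels (Intrepid+) prefix syslog-redirected records with type=NNNN; key_type maps it through lookup_aa_event() */`, would keep the two cases distinct. It also seems worth noting in that comment that `key_type` accepts any TOK_DIGITS value, so a syslog line carrying a non-AppArmor audit type number is still parsed as a V2 record with whatever `lookup_aa_event()` returns for an unrecognised type — I can't see that function here, so whether it yields a distinct "unknown" event should be confirmed. As a point of style, the four alternatives differ only in an optional dmesg stamp and an optional type field; if the grammar tolerates empty productions without new conflicts, two optional nonterminals would collapse them into one alternative.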
@ -416,6 +420,9 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
key_pid: TOK_KEY_PID TOK_EQUALS TOK_DIGITS { ret_record->pid = $3; }
;
key_type: TOK_KEY_TYPE TOK_EQUALS TOK_DIGITS { ret_record->event = lookup_aa_event($3); }
;
safe_string: TOK_QUOTED_STRING
| TOK_HEXSTRING
;


@ -229,6 +229,7 @@ char *string_buf_ptr = string_buf; /* assignment to quiet gcc warning */
BEGIN(other_audit);
return(TOK_TYPE_OTHER);
}
. { BEGIN(unknown_message); yyless(0); /* dump the rest */ }
}
{equals} { return(TOK_EQUALS); }
@ -297,6 +298,8 @@ char *string_buf_ptr = string_buf; /* assignment to quiet gcc warning */
{null_complain} { return(TOK_NULL_COMPLAIN); }
{key_image} { BEGIN(sub_id); return(TOK_KEY_IMAGE); }
. { /* ignore any non-matched input */ BEGIN(unknown_message); yyless(0); }
<hostname>{
{ws}+ { /* eat whitespace */ }
{syslog_hostname} { yylval->t_str = strdup(yytext); BEGIN(INITIAL); return(TOK_ID); }